Project

General

Profile

Bug #6246

Default provisioning template has SELinux set to permissive

Added by Partha Aji over 6 years ago. Updated over 2 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
Hosts
Target version:
Difficulty:
easy
Triaged:
Yes
Bugzilla link:
Pull request:
Fixed in Releases:
Found in Releases:

Description

Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1100582
Cloned specifically for the Katello component. The SELinux setting in the default Katello Kickstart file is set to permissive, but should be enforcing.

May be blocked on bug #1100367 which will update the services in Foreman's kickstart so iptables etc are enabled after provisioning.

++ This bug was initially created as a clone of Bug #1100367 ++

Description of problem:
Default RHEL provisioning template produces system with insecure settings (selinux in permissive; services like iptables, ip6tables, auditd, restorecond, yum-updatesd are stopped; although the system is meant to be used via subscription-manager, yum-rhn-plugin is installed; )

Version-Release number of selected component (if applicable):
Satellite-6.0.3-RHEL-6-20140521.0

How reproducible:
always

Steps to Reproduce:
1. Provision guest with these provisioning templates (or just inspect them):
Kickstart default
Kickstart RHEL default
Katello Kickstart Default for RHEL

Actual results:
Not all issues are found in all templates, but what I consider most important: * system is not registered automatically * SELinux in permissive * services like iptables, ip6tables, auditd, restorecond, yum-updatesd are stopped * although the system is meant to be used via subscription-manager, yum-rhn-plugin is installed

Expected results:
After installation, system should be registered by default.
SELinux should be in enforcing
At least ip*tables services should be running with sane configuration
Just a minimal set of packages should be installed (yum-rhn-plugin and other might be probably removed)

Associated revisions

Revision fdac64a9 (diff)
Added by Partha Aji over 6 years ago

Fixes #6246, bz1100582 - Services mods for KS templates

Some of the services like sendmail,cups,pcmcia were unecessarily
disabled. Removing them from being disabled.

Revision 437dc661
Added by Partha Aji over 6 years ago

Merge pull request #4280 from parthaa/provisioner

Fixes #6246, bz1100582 - Services mods for KS templates

History

#1 Updated by Eric Helms over 6 years ago

  • Target version set to 48
  • Difficulty set to easy
  • Triaged set to Yes

#2 Updated by Partha Aji over 6 years ago

  • Status changed from New to Closed
  • % Done changed from 0 to 100

Applied in changeset katello|commit:fdac64a999408c57a679a726bad66d80ee49680c.

#3 Updated by Eric Helms about 6 years ago

  • Legacy Backlogs Release (now unused) set to 13

Also available in: Atom PDF